Remarks as prepared.
I’d like to add my welcome to this very important gathering. By now, we’ve all learned too well how to collaborate virtually — even a massive audience like this one spread out over so many time zones.
Every day, cyberattacks threaten individuals’ privacy, access to essential services, and even present life-or-death consequences. The impact on the American people from cyberattacks drives us at NIST to continue our work to combat these risks.
In the past 50 years that NIST has been in the cybersecurity game, the field has grown dramatically, and we and others have been innovating in response to these threats. Significant challenges remain, but NIST is committed to working with you all to address them.
Back in 1974, NIST published its first cybersecurity guide, at a time when only about 130,000 computers were available across the United States. It was a pocket-sized publication called the “Executive Guide to Computer Security.”
Today, there are billions of connected devices, evolutions in computing and artificial intelligence, and the emergence of highly sophisticated cyberattack services. The sheer scale and rapid evolution of these threats underscore the true feat that it was for NIST to develop such a simple yet broadly effective guide with the Cybersecurity Framework.
We at NIST have been thrilled with the impact the framework has had on cybersecurity and the role that it has played. It has truly become foundational for assessing an organization’s cybersecurity risks, status and needs.
The framework is being used across sectors and discussed in both the server room and the board room. Used voluntarily across many sectors, the framework’s use also has been codified and mandated in White House policies, legislation, agency policies, grants and regulations.
It also serves as a model for strengthening international cooperation on cybersecurity. The framework has been translated into multiple languages and adapted by several countries. It has been adopted in international standards and is consistently referenced in bilateral and multilateral discussions and agreements
Best of all, many organizations tell us the framework is effective and helpful. This message was reiterated in our most recent Request for Information.
Yet at NIST we strive to continuously improve and learn from our work. We updated the framework four years ago and have produced implementation guides, profiles and other tools to assist organizations in using it.
And now, based on additional stakeholder feedback, we’ve embarked on the challenge of producing CSF 2.0. Based on what stakeholders have advised us to date: The updated framework must address the changing cybersecurity landscape in terms of risks, standards and technical solutions.
And with that evolving landscape, it’s important to make sure that the framework can be applied to today’s most urgent challenges and initiatives, whether it’s zero trust, secure software procurement, or the supply chain challenges such as seen with the recent passage of the CHIPS and Science Act.
CSF 2.0 also must be more broadly applied across the federal enterprise, as well as by businesses of all sizes and sectors, nonprofits, schools and colleges, and state, local, tribal and territorial governments.
A huge factor in determining how we do is the degree to which we are successful in repeating and expanding on the collaboration that NIST benefited from in producing CSF 1.0 and 1.1.
We simply will not succeed if we don’t collaborate with you and so many others, which is why I’m so thrilled that all of you have turned out to lend a hand.